Microsoft’s first round of Patch Tuesday updates for 2026 addresses 112 vulnerabilities, including a zero-day that has been actively exploited in attacks.
The exploited vulnerability is tracked as CVE-2026-20805 and it has been described by Microsoft as an important-severity information disclosure issue in the Desktop Windows Manager component of Windows.
“Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally,” Microsoft said in its advisory, adding, “The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port which is user-mode memory.”
CVE-2026-20805 was discovered by Microsoft’s own researchers, but the tech giant does not appear to have shared any information on the attacks exploiting the zero-day.
Trend Micro’s ZDI believes threat actors have likely exploited the flaw in targeted attacks, as part of an exploit chain where the address obtained as a result of CVE-2026-20805’s exploitation is useful for achieving arbitrary code execution.
“This shows how memory leaks can be as important as code execution bugs since they make the RCEs reliable,” noted ZDI’s Dustin Childs.
Two Windows vulnerabilities patched this month were disclosed publicly before the fixes became available: CVE-2026-21265 (Secure Boot bypass) and CVE-2023-31096 (privilege escalation).
Based on Microsoft’s assessment, only the latter is ‘more likely’ to be exploited in the wild.
Eight Windows and Office vulnerabilities patched this month have been assigned a critical severity rating. A majority can be exploited for remote code execution, and a couple for privilege escalation.
In addition to Windows and Office applications, Microsoft has resolved vulnerabilities in Azure and SharePoint.
